WCF BasicHttpBinding 安全解析（2）BasicHttpBinding安全项

想对BasicHttpBinding的安全性做比较全面的了解，最好的办法还是从它的安全属性看起。下面展示的所有源代码通过反编译获得，这里我们根据需要选取关键的代码来分析，先看代码清单11-73。

代码清单11-73 BasicHttpBinding定义

1:  public class BasicHttpBinding : Binding, IBindingRuntimePreferences

2:

3:          {

4:

5:  private HttpTransportBindingElement httpTransport;

6:

7:  private HttpsTransportBindingElement httpsTransport;

8:

9:  private TextMessageEncodingBindingElement textEncoding;

10:

11:  private MtomMessageEncodingBindingElement mtomEncoding;

12:

13:  private BasicHttpSecurity security;

14:

15:  public BasicHttpBinding(BasicHttpSecurityMode securityMode)

16:

17:  {

18:

19:  this.security = new BasicHttpSecurity();

20:

21:  this.security.Mode = securityMode;

22:

23:  }

24:

25:  private BasicHttpBinding(BasicHttpSecurity security)

26:

27:  {

28:

29:  this.security = new BasicHttpSecurity();

30:

31:  this.security = security;

32:

33:  }

34:

35:          }

36:

从代码清单11-73中，我们可以看到关键的对象为BasicHttpSecurity，在构造函数中BasicHttpBinding类对其初始化并设置securityMode。下面我们看BasicHttpSecurity的定义。

代码清单11-74 BasicHttpSecurity定义

1:  public sealed class BasicHttpSecurity

2:

3:      {

4:

5:  internal const BasicHttpSecurityMode DefaultMode = BasicHttpSecurityMode.None;

6:

7:  private BasicHttpSecurityMode mode;

8:

9:  private HttpTransportSecurity transportSecurity;

10:

11:  private BasicHttpMessageSecurity messageSecurity;

12:

13:  public BasicHttpSecurityMode Mode

14:

15:          {

16:

17:              [TargetedPatchingOptOut("Performance critical to inline this type of method across NGen image boundaries")]

18:

19:  get

20:

21:              {

22:

23:  return this.mode;

24:

25:              }

26:

27:  set

28:

29:              {

30:

31:  if (!BasicHttpSecurityModeHelper.IsDefined(value))

32:

33:                  {

34:

35:  throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("value"));

36:

37:                  }

38:

39:  this.mode = value;

40:

41:              }

42:

43:          }

44:

45:  public HttpTransportSecurity Transport

46:

47:          {

48:

49:              [TargetedPatchingOptOut("Performance critical to inline this type of method across NGen image boundaries")]

50:

51:  get

52:

53:              {

54:

55:  return this.transportSecurity;

56:

57:              }

58:

59:  set

60:

61:              {

62:

63:  this.transportSecurity = ((value == null) ? new HttpTransportSecurity() : value);

64:

65:              }

66:

67:          }

68:

69:  public BasicHttpMessageSecurity Message

70:

71:          {

72:

73:              [TargetedPatchingOptOut("Performance critical to inline this type of method across NGen image boundaries")]

74:

75:  get

76:

77:              {

78:

79:  return this.messageSecurity;

80:

81:              }

82:

83:  set

84:

85:              {

86:

87:  this.messageSecurity = ((value == null) ? new BasicHttpMessageSecurity() : value);

88:

89:              }

90:

91:          }

92:

93:  public BasicHttpSecurity()

94:

95:              : this(BasicHttpSecurityMode.None, new HttpTransportSecurity(), new BasicHttpMessageSecurity())

96:

97:          {

98:

99:          }

100:

101:  private BasicHttpSecurity(BasicHttpSecurityMode mode, HttpTransportSecurity transportSecurity, BasicHttpMessageSecurity messageSecurity)

102:

103:          {

104:

105:  this.Mode = mode;

106:

107:  this.transportSecurity = ((transportSecurity == null) ? new HttpTransportSecurity() : transportSecurity);

108:

109:  this.messageSecurity = ((messageSecurity == null) ? new BasicHttpMessageSecurity() : messageSecurity);

110:

111:          }

112:

113:      }

114:

根据代码清单11-74，我们对BasicHttpSecurity做简要的分析。首先看第一个属性——Mode。Mode是BasicHttpSecurityMode枚举值之一，表示安全类型，默认值为None。BasicHttpSecurityMode枚举共提供5种选择：

1) None：OAP 消息在传输过程中并不安全。 这是默认行为。

2) Transport：使用 HTTPS 提供安全性。 此服务必须使用 SSL 证书进行配置。 SOAP 消息是用 HTTPS 作为一个整体进行保护的。 客户端使用服务的 SSL 证书对服务进行身份验证。 通过 ClientCredentialType 可对客户端身份验证进行控制。

3) Message：使用 SOAP 消息安全提供安全性。对于BasicHttpBinding，系统要求向客户端单独提供服务器证书。此绑定的有效客户端凭据类型为UserName和Certificate。

4) TransportWithMessageCredential：完整性、保密性和服务器身份验证均由 HTTPS 提供。 此服务必须使用证书进行配置。 客户端身份验证采用SOAP消息安全方式提供。 如果要使用用户名或证书凭据对用户进行身份验证，并且存在用于保护消息传输的现有HTTPS部署，则适用此模式。

5) TransportCredentialOnly：此模式并不提供消息的完整性和保密性， 而是仅提供基于HTTP 的客户端身份验证。 使用此模式时一定要小心。 在通过其他方式（如IPSec）提供传输安全并且 基础结构只提供客户端身份验证的环境中，应该使用此模式。

可使用如代码清单11-75所示的配置方式配置安全模式。

代码清单11-75 配置安全模式

1:  <basicHttpBinding>

2:

3:          <binding name="basicBidingConf">

4:

5:    <security mode="None">

6:

7:            </security>

8:

9:          </binding>

10:

11:        </basicHttpBinding>

在代码清单11-74中我们看BasicHttpSecurity的第二个属性——Transport，该属性是HttpTransportSecurity实例。HttpTransportSecurity 类定义如代码清单11-75。

代码清单11-75 HttpTransportSecurity 类定义

1:  public sealed class HttpTransportSecurity

2:

3:  {

4:

5:  internal const HttpClientCredentialType DefaultClientCredentialType = HttpClientCredentialType.None;

6:

7:  internal const HttpProxyCredentialType DefaultProxyCredentialType = HttpProxyCredentialType.None;

8:

9:  internal const string DefaultRealm = "";

10:

11:  private HttpClientCredentialType clientCredentialType;

12:

13:  private HttpProxyCredentialType proxyCredentialType;

14:

15:  private string realm;

16:

17:  private ExtendedProtectionPolicy extendedProtectionPolicy;

18:

19:  public HttpClientCredentialType ClientCredentialType；

20:

21:  public HttpProxyCredentialType ProxyCredentialType；

22:

23:  public string Realm；

24:

25:  public ExtendedProtectionPolicy ExtendedProtectionPolicy；

26:

27:  public HttpTransportSecurity()

28:

29:      {

30:

31:  this.clientCredentialType = HttpClientCredentialType.None;

32:

33:  this.proxyCredentialType = HttpProxyCredentialType.None;

34:

35:  this.realm = "";

36:

37:  this.extendedProtectionPolicy = ChannelBindingUtility.DefaultPolicy;

38:

39:      }

40:

41:  }

42:

从代码清单11-75中我们知道HttpTransportSecurity 类包含四个属性：

1） ClientCredentialType属性。获取或设置要用于身份验证的客户端凭据的类型。默认值为HttpClientCredentialType.None。

2） ExtendedProtectionPolicy。获取或设置扩展保护策略，默认值为ChannelBindingUtility.DefaultPolicy。

3） ProxyCredentialType。获取或设置要用于针对代理进行身份验证的客户端凭据的类型。默认值为HttpProxyCredentialType.None。

4） Realm。获取或设置摘要式或基本身份验证的身份验证领域，默认值为空。

BasicHttpSecurity 类的第三个属性为BasicHttpMessageSecurity类，用来配置BasicHttpBinding的消息安全。该类定义如代码清单11-76所示。

代码清单11-76 BasicHttpMessageSecurity类定义

1:  public sealed class BasicHttpMessageSecurity

2:

3:  {internal const BasicHttpMessageCredentialType DefaultClientCredentialType=BasicHttpMessageCredentialType.UserName;

4:

5:  private BasicHttpMessageCredentialType clientCredentialType;

6:

7:  private SecurityAlgorithmSuite algorithmSuite;

8:

9:  public BasicHttpMessageCredentialType ClientCredentialType

10:

11:  {get{return this.clientCredentialType;}

12:

13:  set{

14:

15:  if (!BasicHttpMessageCredentialTypeHelper.IsDefined(value))

16:

17:  {

18:

19:  throw DiagnosticUtility.ExceptionUtility.ThrowHelperError(new ArgumentOutOfRangeException("value"));}

20:

21:  this.clientCredentialType = value;}

22:

23:  }

24:

25:  public SecurityAlgorithmSuite AlgorithmSuite

26:

27:  {

28:

29:  get{return this.algorithmSuite;}

30:

31:  set

32:

33:  {if (value == null)

34:

35:  {

36:

37:  throw DiagnosticUtility.ExceptionUtility.ThrowHelperArgumentNull("value");}

38:

39:  this.algorithmSuite = value;}

40:

41:  }

42:

43:  public BasicHttpMessageSecurity()

44:

45:  {

46:

47:  this.clientCredentialType = BasicHttpMessageCredentialType.UserName;

48:

49:  this.algorithmSuite = SecurityAlgorithmSuite.Default;

50:

51:  }}

52:

从代码清单11-76中我们可以看到BasicHttpMessageSecurity类包含两个属性：

1） AlgorithmSuite。指定要与 BasicHttpMessageSecurity 一起使用的算法组。

2） ClientCredentialType。发送安全消息指定客户端用以进行身份验证的凭据的类型。

那么在配置文件中如何配置BasicHttpSecurity呢？代码清单11-77给出了一般配置选项。

代码清单11-77 配置BasicHttpSecurity

1:  <basicHttpBinding>

2:

3:  <binding

4:

5:  transferMode="Buffered/Streamed/StreamedRequest/StreamedResponse"

6:

7:  useDefaultWebProxy="Boolean"

8:

9:  <security mode="None/Transport/Message/TransportWithMessageCredential/TransportCredentialOnly">

10:

11:  <transport clientCredentialType="None/Basic/Digest/Ntlm/Windows/Certificate" proxyCredentialType="None/Basic/Digest/Ntlm/Windows"

12:

13:  realm="string" />

14:

15:  <message algorithmSuite="Basic128/Basic192/Basic256/Basic128Rsa15/Basic256Rsa15/TripleDes/TripleDesRsa15/Basic128Sha256/Basic192Sha256/TripleDesSha256/Basic128Sha256Rsa15/Basic192Sha256Rsa15/Basic256Sha256Rsa15/TripleDesSha256Rsa15"

16:

17:  clientCredentialType="UserName/Certificate"/>

18:

19:  </security>

20:

21:  <readerQuotas maxDepth="Integer"

22:

23:  maxStringContentLength="Integer"

24:

25:  maxByteArrayContentLength="Integer"

26:

27:  maxBytesPerRead="Integer"

28:

29:  maxNameTableCharCount="Integer" />

30:

31:  </binding>

32:

33:  </basicHttpBinding>

34:

代码清单11-77所示的配置节中各项的含义读者可以参考BasicHttpSecurity 类的个属性进行解读，这里就不再重复了。下面我们通过实例继续探讨BasicHttpBinding的更多安全特性。

转自：http://www.cnblogs.com/xuanhun/archive/2011/06/27/2091302.html